Breaking an Animated CAPTCHA Scheme Vu Duc Nguyen, Yang-Wai Chow and Willy Susilo University of Wollongong
About CAPTCHA
• CAPTCHA: Completely Automated Public Turing test to Tell Computers and Humans Apart.
• Other name: Human Interaction Proofs (HIPs).
• Easily solvable by humans.
• Cannot be solved by current computer programs.
• Existing CAPTCHAs are mainly text-based on a static image.
About CAPTCHA
• Most traditional text-based CAPTCHAs are known to be vulnerable to attacks.
About CAPTCHA
• Easy for humans, hard for computers? Not guaranteed to exist.
• Increase the security: distorting, blurring or rotating the text, overlaying visual noise. But
Animated CAPTCHA
• Static vs. Animation:
• Animated CAPTCHAs have been proposed.
• Assumption:
  • More usability: animation increases legibility for humans.
  • More security: the information required to solve the CAPTCHA challenge is distributed over multiple animation frames.
Our questions
• Do animated CAPTCHAs really provide more security?
• How to break an animated CAPTCHA and design a secure one?
Breaking HelloCaptcha
• Breaking a representative animated CAPTCHA: HelloCaptcha.
• CAPTCHA provider: affects many customers' web sites if broken.
• 84 different variations in 12 categories: Flitter, H-Mover, Mass Flood, Noisy Mosaic, Pop Up, Roller, Search light, Smarties, Spread Fade, Spring, Swapper, Text Flood.
Outline
• Breaking HelloCaptcha.
  • Type Distinction.
  • Single Image Extraction.
    • By Pixel Delay Map (PDM).
    • By Catching Line (CL).
    • By Color Selection (CS).
  • Pre-Processing and Character Recognition.
• Results and Lessons learned.
Breaking HelloCaptcha
• Results: Most of the 84 types can be correctly distinguished 100%.
Pixel Delay Map (PDM)
• The PDM is an image resulting from the accumulation of the total amount of time that a pixel is displayed in a color different from the background color.
• Feature: to get the human user's attention, the text characters are displayed at certain fixed locations for longer periods of time.
Pixel Delay Map (PDM)
• PDM and extracted static image.
Pixel Delay Map (PDM)
• PDM on all frames.
• PDMs constructed from consecutive 1/6 of the frames.
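For CAPTCHA designers, the PDM definition above can be turned into a check of how much a frame/delay schedule exposes the resting position of a character. This is an added example, not the authors' code; the tiny frames, the glyph mask, the delays and the 0.5 cutoff ratio are all constructed assumptions.

```python
# Added example: designer-side audit of a frame/delay schedule with a pixel delay map.
# All frames, delays and the 0.5 cutoff ratio are constructed assumptions.
BACKGROUND = 0

GLYPH = [  # frame in which the challenge character rests in place
    [0, 1, 1, 0, 0, 0],
    [0, 1, 0, 0, 0, 0],
    [0, 1, 1, 0, 0, 0],
    [0, 0, 0, 0, 0, 0],
]
NOISE_A = [  # transient frame: moving clutter only
    [0, 0, 0, 0, 1, 0],
    [0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 1],
    [1, 0, 0, 0, 0, 0],
]
NOISE_B = [
    [0, 0, 0, 1, 0, 0],
    [0, 0, 0, 0, 0, 1],
    [0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 1, 0],
]
FRAMES = [NOISE_A, NOISE_B, GLYPH]

def pixel_delay_map(frames, delays_ms, background=BACKGROUND):
    """Per pixel, total time shown in a color other than the background."""
    pdm = [[0] * len(frames[0][0]) for _ in frames[0]]
    for frame, delay in zip(frames, delays_ms):
        for y, row in enumerate(frame):
            for x, value in enumerate(row):
                if value != background:
                    pdm[y][x] += delay
    return pdm

def glyph_exposure(frames, delays_ms, glyph, ratio=0.5):
    """Share of glyph pixels lit for at least `ratio` of the animation time."""
    if len(frames) != len(delays_ms):
        raise ValueError("one delay per frame is required")
    cutoff = ratio * sum(delays_ms)
    pdm = pixel_delay_map(frames, delays_ms)
    glyph_px = [(y, x) for y, row in enumerate(glyph)
                for x, v in enumerate(row) if v]
    exposed = sum(1 for y, x in glyph_px if pdm[y][x] >= cutoff)
    return exposed / len(glyph_px)

if __name__ == "__main__":
    print("40/40/1000 ms:", glyph_exposure(FRAMES, [40, 40, 1000], GLYPH))
    print("40/40/40 ms:  ", glyph_exposure(FRAMES, [40, 40, 40], GLYPH))
```

With one long-held frame the whole glyph stands out in the PDM; with uniform delays none of it crosses the cutoff, which is the effect a designer wants to see before shipping a schedule.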
Catching Line (CL)
• Character moving areas.
• Selected frames and characters by “Catching line”.
Color Selection (CS)
• Characters separated based on color.
Pre-Processing on extracted single image
• Noise removal.
• Refine by filling.
• Shape removal.
Character Recognition by OCR program
• Use ABBYY FineReader 11.
• Use the existing embedded training database and/or own training set.
Experimental Results
• 8,400 animated CAPTCHA samples were collected from the HelloCaptcha website.
• Accuracy of breaking (i.e. correctly recognizing all characters in the animated CAPTCHA challenges) ranges between 16% and 100% of the time (it is widely accepted that a scheme broken more than 1% of the time is essentially broken).
• Attacking time: 4 secs/challenge.
Lessons learned
• The number of frames.
• Delay periods: [figure: Frame 45, Frame 82; delays 40ms, 40ms, 1000ms]
Lessons learned
• Character positions:
  • The important information is emphasized by displaying it for longer. That can be exploited using the PDM method.
  • PDM was used to break 61 of the 84 different types and can also affect types from other sources:
Lessons learned
• Moving direction: characters that only move or scale in the vertical direction can be vulnerable to attacks.
• Use of color or luminance: less is best.
• Method of delivery: GIF, Flash or video?
Question?